[Ascend] (ASCEND) ICRADIUS and an APX

[Matthew Watkins]

Anybody out there have experience using ICRADIUS
(http://icradius.hislora.com.au/) with either the Lucent APX or TNT
products?

We've configured an APX for typical ISP-style remote-access, and the Radius
server crashes out as soon as it receives the first authentication request.
More specifically, the first attempt generates 20 or so lines of errors
before the radius process quits abruptly and has to be manually restarted.

Using the "Radauth" command on the APX seems to work happily enough:

admin> help radauth
radauth  authenticate a name and password via RADIUS.
 usage: radauth "name" "password"
    The double-quotes may be omitted if the parameter [name, password]
    does not contain embedded spaces.

admin> radauth matt.watkins knowware
...radauth request queued, awaiting response
radauth: 2
admin>

Connecting an E1 and waiting for a call is a different matter, the first
user authentication attempt kills the radius server process. I would assume
it is somehow related to the attributes the APX is sending in the
authorisation request? We've imported the Ascend dictionary from the
ftp.ascend.com site, but this has had no bearing on the problem. I suspect
it may be a dictionary problem, but crashing out seems to be a rather severe
response?

The customer has been happily running PM-4s through their current system for
some time, and I've personally installed two APX chassis into other ISPs
without any such problems. Changing RADIUS software is not really viable in
the short-term, although I have recommended that the customer take a close
look at Radiator (http://www.open.com.au/radiator/). I've reset the nvram on
the APX and quickly attempted to set the chassis up from scratch, but
simplifying the configuration has not helped.

The APX "external-auth" settings are below, with addresses blanked out to
protect the innocent. Almost everything is set to the chassis defaults, with
the bare minimum of changes. I'm waiting for the customer to forward me all
relevant output from the ICRADIUS logs.

We have attempted tweaking many of the settings to coax the system into
working, but haven't had any luck yet.

I am not currently subscribed to the ICRADIUS list, so please copy me in any
replies to the list if you have any useful advice.

- Matt


admin> read external-auth
EXTERNAL-AUTH read
admin> list
[in EXTERNAL-AUTH]
auth-type = RADIUS
acct-type = none
rad-id-space = distinct
rad-id-source-unique = port-unique
rad-serv-enable = no
rad-auth-client = { #.#.#.# 0.0.0.0 0.0.0.0 1645 0 ******* no 1 no no no +
rad-acct-client = { 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 1 0 acct-base-10 0 0 yes
0 n+
rad-auth-server = { 0 no rad-serv-attr-any [ 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
0.+
tac-auth-client = { 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 0 }
tacplus-auth-client = { 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 0 0 }
tacplus-acct-client = { 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" }
local-profiles-first = lpf-yes
noattr6-use-termsrv = yes
clid-password = ***********
dnis-password = ***********

admin> list rad-auth-client
[in EXTERNAL-AUTH:rad-auth-client]
auth-server-1 = #.#.#.#
auth-server-2 = 0.0.0.0
auth-server-3 = 0.0.0.0
auth-port = 1645
auth-src-port = 0
auth-key = *******
auth-pool = no
auth-timeout = 1
auth-rsp-required = no
auth-id-fail-return-busy = no
auth-id-timeout-return-busy = no
auth-sess-interval = 0
auth-TS-secure = yes
auth-Send67 = yes
auth-frm-adr-start = no
auth-boot-host = 0.0.0.0
auth-boot-host-2 = 0.0.0.0
auth-boot-port = 0
auth-reset-time = 0
auth-id-max-retry-time = 0
auth-radius-compat = old-ascend
auth-keep-user-name = change-name
auth-realm-delimiters = /\@%
id-auth-prefix = ""
allow-auth-config-rqsts = yes

admin>

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request at bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>